NTCC Final Report

The document is a term paper report submitted by Dhanishta Gupta to Amity University Uttar Pradesh on the topic of cyber security, specifically focusing on ethical hacking and biometric authentication. It includes declarations by the student and certifications from the guiding professor, as well as an acknowledgements section and table of contents outlining the structure of the report.


TERM PAPER REPORT

ON

CYBER SECURITY: ETHICAL HACKING AND BIOMETRIC AUTHENTICATION

SUBMITTED TO

AMITY UNIVERSITY UTTAR PRADESH

In partial fulfilment of the requirements of the

Award of the degree of

Bachelor Of Technology

In

Computer Science and Engineering

By

Dhanishta Gupta

Enrolment Number: A2372021005

Under the guidance of Dr. Shuchi Mala

Department of Computer Science

Amity School Of Engineering and Technology

Amity University Noida

Uttar Pradesh
DECLARATION BY THE STUDENT

I, Dhanishta Gupta, student of B.Tech (CSE-3C), hereby declare that the project titled
“Cybersecurity: Ethical Hacking And Biometric Authentication”, which is submitted
by me to the Department Of Computer Science, Amity School Of Engineering And
Technology, Amity University Uttar Pradesh, Noida, in partial fulfilment of the requirement
for the award of the degree of Bachelor Of Technology (CSE), has not previously
formed the basis for the award of any degree, diploma or other similar title or recognition.

The Author attests that permission has been obtained for the use of any copy righted
material appearing in the report other than brief excerpts requiring only proper
acknowledgement in scholarly writing and all such use is acknowledged.

Signature: ________                                   Date: 15/07/2022

CERTIFICATE

On the basis of the report submitted by Dhanishta Gupta, student of B.Tech (CSE-3C),
I hereby certify that the report entitled “Cybersecurity: Ethical Hacking and Biometric
Authentication” which is submitted to the Department of Computer Science and
Technology, Amity School of Engineering and Technology, Amity University Uttar
Pradesh in partial fulfilment of the requirement for the award of the degree of Bachelor
of Technology (CSE) is an original contribution with existing knowledge and faithful
record of work carried out by her under my guidance and supervision.

To the best of my knowledge this work has not been submitted in part or full for any
Degree or Diploma to this University or elsewhere.

Place: Noida

Date: 29/07/2022

Dr. Shuchi Mala

(Assistant Professor)

Department Of Computer Science and Engineering

Amity School Of Engineering and Technology (ASET), AUUP


ACKNOWLEDGEMENT

The satisfaction that accompanies the successful conclusion of any task would be
inadequate without the mention of people whose perpetual cooperation made it possible,
whose constant guidance and inspiration crown all efforts with success. I would like to
thank Professor (Dr) Abhay Bansal, Head of Department-CSE, and Amity University for
providing me the chance to start this project. I would like to show gratitude to my faculty
guide who is the major driving force behind my successful completion of the project. She
has been always there to solve any question of mine and also guided me in the right
direction about the project. Without her help and motivation, I would not have been able
to complete the project. Also, I would like to express gratitude towards my batch mates
who guided me, assisted me, and gave ideas and motivation at each step.

Dhanishta Gupta
TABLE OF CONTENTS

S.No TOPIC PAGE NO.

- Abstract -

1. Introduction 1-2

2. Types of Cybersecurity Threats 3-4

3. Types Of Attacks 5-8

4. Cybersecurity Frauds of Recent Times 9-10

5. Hacking 11-12

6. Ethical Hacking 13-17

i. Definition
ii. Need/Importance
iii. Steps Of Ethical Hacking
iv. Forms Of Ethical Hacking
v. Key Concepts
vi. Code Of Ethics
vii. Limitations

7. Biometric Authentication 18-21

i. Definition
ii. Methods
iii. Components of a Biometric Authentication Device
iv. Advantages
v. Disadvantages
vi. Current Uses

8. Conclusion And Discussion 22

9. References 23-24
ABSTRACT

With cyber risks increasing at an alarming rate, cyber security has become an
inseparable part of protecting the privacy and data of users. This report focuses on
gaining a better insight into cybersecurity and two of its aspects: Ethical Hacking and
Biometric Authentication.

Every day we come across cases of cybercrime, data breaches and manipulation of
user data. These take place because of weak security measures such as passwords and PINs,
but most of all because of the many loopholes present in systems. These weaknesses can be
removed to a large extent by making use of Ethical Hacking. While passwords, PINs,
patterns etc. provide security, they can still be vulnerable to malicious attackers.
Biometric Authentication provides a safer and considerably more efficient alternative,
because it is difficult to defeat: it makes use of the biological characteristics of the
user. Therefore, the data is much safer and better protected.

1. INTRODUCTION

“If we know our enemies and know ourselves, we will not be imperilled in a hundred
battles. However, if we don’t know our enemies and neither ourselves, we will be
imperilled in every single battle.”

This famous quote is attributed to the Chinese military general Sun Tzu (Sun Tzu,
2018). In the same spirit, if we know our attackers and their attack techniques, we can
defend and protect our systems better. This is what cybersecurity is all about.

Cybersecurity may be defined as the practice of defending computers, servers, mobile
devices, electronic systems, networks, and data from malicious attacks. In other words, it
is the body of technologies, processes, and practices designed to protect networks,
devices, programs, and data from attack, theft, damage, modification or unauthorized
access.

It is also known as information technology security or electronic information security.

With easier access to the internet, and with the globalisation and modernisation of
countries, there has been a rapid increase in the use of smartphones, all of which has led
to a drastic rise in the number of internet users. In 2021, the number of internet users
worldwide stood at 4.7 billion, which means that almost 2/3 of the global population is
currently connected to the world wide web.

[Figure: Number of internet users worldwide from 2012 to 2021 (in billions)]

With such growth in the number of internet users, protecting user data and privacy
becomes the top priority of companies, because this data is increasingly exposed.
This is where cyber security comes into play. Cybersecurity protects data from attacks
by hackers, from viruses and from vulnerabilities present in the system. Without
cybersecurity, a company that falls victim to a cyberattack suffers the direct damage of
data loss and the indirect damage of lost business as people lose trust in the company,
as happens after a data breach. If a person falls victim to a cyberattack, they can suffer
loss of data as well as privacy, making them vulnerable to further cybercrime.

There are various methods by which cybersecurity can be practised. These include
Malware Analysis, IOT, Virtualization, Omega, Bot Detection, Intrusion Detection,
Phishing and Scamming, Biometric Authentication, Wireless and Sensor Network Security,
Spatial Location (Geo Location) and Cyber Travel. There is also Ethical Hacking, which
plays a major role in the cybersecurity of any system. In this report, we focus on two
widely used cybersecurity methods: Ethical Hacking and Biometric Authentication.

2. TYPES OF CYBERSECURITY

i. Application Security: Application security aims to protect software application
code and data against cyber threats. It focuses on finding and fixing vulnerabilities
in application code to build safer apps.

ii. Network Security: Network security is a broad term that covers a multitude of
technologies, devices and processes. In its simplest terms, it is a set of rules and
configurations designed to protect the integrity, confidentiality and accessibility
of computer networks and data, making use of both software and hardware
technologies.

iii. Operational Security: The security and risk management process that
prevents sensitive data and information from falling into the hands of malicious
attackers is called Operational Security. It is not only a process but also a strategy,
as it inspects the operations and the security system from the point of view
of a potential attacker. It involves several analytical activities and processes, such as
monitoring behaviour, social media, and security best practice.

iv. Information Security: Information security means the protection of information
from unauthorized access, use, disclosure, disruption, modification, perusal,
inspection, recording, or destruction. It not only controls physical access to
facilities where information is processed, stored, and/or transmitted but also
controls access to information and information systems by employees and other
users. It safeguards data integrity and privacy during its storage and transmission
from one machine to another.

v. End-User Education: This is a part of management security control that
comes under the category of awareness training. It is a vital part of the security
program, as users who are uneducated in security practices can cause
irreparable damage to an organization. The end-user is usually the weakest link
when it comes to cybersecurity, and that is what attackers are counting on. Thus,
it is extremely important to teach end-users to delete suspicious emails, to refrain
from plugging in unidentified USB drives, and other essential lessons that are vital
for shielding corporate security.

vi. Disaster Recovery and Business Continuity: Disaster recovery (DR) is a
sequence of procedures designed to restore essential business activities as soon as
possible during a disruptive incident, followed by restoring less critical workloads.
In other words, the primary goal of DR is to minimize downtime and restart all
systems and applications while reducing data loss. Business continuity is the set of
procedures that allows a company to resume its mission-critical operations as quickly
as possible following a disruptive event. It is a comprehensive strategy that combines
all available resources while specifying individual and organizational responsibilities.
A business continuity plan details the essential services, such as IT infrastructure
and communication channels, that should be maintained during a disruption and the
steps to achieve that.

3. TYPES OF ATTACKS

I. Malware: Malware is malicious software such as spyware, ransomware,
viruses and worms. Malware is activated whenever the user clicks on a
malicious link or attachment, which leads to the installation of dangerous software.
Once malware is activated it can:

i. Block access to key network components (ransomware).

ii. Install further harmful software.

iii. Covertly obtain information by transmitting data from the hard drive (spyware).

iv. Disrupt individual components, making the system crash.

Malware can be of several types:

a) Viruses: Viruses are malicious code that can replicate themselves and modify the
functionality of other programs by inserting their code into them. This
behaviour corrupts the whole computer program. However, for the virus to
manifest, it must be triggered by the host.

b) Worms: Worms are similar to viruses in replicating themselves, but they do not
need any external trigger. As soon as they break into the system, they can self-
propagate independently without any activation. There is no need to execute the
malicious code, and no human intervention is required.

c) Trojans: Trojans are illegitimate code or software that disguise themselves as a
trusted source to trick the victim into downloading them. After download, once the
file is executed, it takes control of the system to perform malicious activities.

d) Ransomware: It is malware that encrypts the victim’s data, thereby denying
access to the rightful owner. On payment of the ransom demanded by the
cybercriminal, the target gets the decryption key.

e) Malvertising: Malvertising refers to the injection of malicious code into legitimate
online advertising networks, which redirects users to unintended websites.

II. Phishing: In phishing, an attacker masquerades as a trusted entity (a
legitimate person or company) to obtain sensitive information by manipulating
the victim. It is achieved through user interaction, such as asking the victim to
click on a malicious link, download a risky attachment, etc., in order to get
confidential information, including credit card information (carding), usernames,
passwords, and network credentials. Phishing usually targets a large number of
recipients.

III. SQL Injection: SQL stands for Structured Query Language. In general, users
do not have permission to interact directly with the database of an application.
In SQL injection, however, the attacker inserts malicious SQL into the queries
that the application sends to its backend database. This is then used to carry out
SQL operations such as adding, inserting or deleting data in order to modify it,
resulting in the loss of data integrity. SQL injection costs an organization
reputational loss and a lack of trust from customers, because the attacker’s
unauthorized access can leak sensitive information, users’ personal data, credit
card details, and passwords.
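To make the injection risk concrete, here is an added Python example (not from the report) that contrasts a login query built by string concatenation with a parameterised one; the SQLite table, user names and passwords are constructed sample data.

```python
"""Added example (not from the report): the SQL injection described above.

A login check that builds its SQL by string concatenation is compared with a
parameterised query. The in-memory SQLite table and its rows are constructed
sample data; real systems store password hashes, never plaintext passwords.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database holding a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],  # constructed rows
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest of the input is parsed as SQL."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders bind the input as data, so it can never change
    the structure of the query, whatever characters it contains."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username: str, password: str) -> dict:
    """Run the same credentials through both versions and report the outcome."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password),
            "safe": login_safe(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Legitimate credentials succeed in both versions.
    print("valid credentials:", compare("alice", "correct horse"))
    # A quote-and-tautology payload in the password field is accepted only by
    # the concatenated query; the parameterised one treats it as a literal string.
    print("injected password:", compare("alice", "' OR '1'='1"))
```

The concatenated query turns the password field into `password = '' OR '1'='1'`, which is true for every row, while the parameterised query simply compares against a password that nobody has.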

IV. Denial-of-service attack (DoS): The goal of a Denial-of-Service attack is
to make a service unavailable by flooding or crashing the system with more
traffic than the server can accommodate. In DoS, a single attacker targets the
victim’s system. DoS attacks can be of different types:

a) Buffer Overflow Attack
b) ICMP Flood/Ping Flood
c) SYN Flood
d) Teardrop Attack

V. Man-in-the-middle attack (MitM): In a Man-in-the-Middle attack, the
attackers place themselves between the sender and the receiver in order to
disrupt the communication flow. The motive is to steal trade secrets,
eavesdrop to gain personal data, and impersonate genuine entities to obtain
information such as credit card details.

It can be done through various methods, which include:

a) DNS Spoofing: In DNS spoofing, the attacker diverts a user from the website they
intended to browse to a fake, malicious website. The idea is to make people believe
that they are landing on a secure and trusted website while they are actually
interacting with a fraudulent application or website. This way, the attacker can
divert the real website’s traffic and gain illegal access to login credentials.

b) Email Hijacking: In the case of Email Hijacking, the attacker spoofs a trusted
institution to convince users to provide personal information. For example, an
attacker who disguises himself or herself as a trusted bank sends an email to the
bank’s customers and convinces them to follow the attacker’s instructions. The
victims might end up carrying out transactions with the attacker rather than the bank.

c) Wi-Fi Eavesdropping: Public Wi-Fi always comes with a risk. Attackers can
easily set up a fake Wi-Fi access point that the user mistakes for a legitimate
connection, which is made easier by giving the network a familiar business name.
Wi-Fi eavesdropping lets cybercriminals read users’ cookies, monitor their online
activities, and obtain payment information, login credentials, etc.

VI. Password Attacks: With the right password, a cyber attacker has access to a
wealth of information.

VII. Drive-by Attack: When the system has security flaws because of a lack of
updates on OS, app, or browser, an attacker can trigger the unintentional
download of malicious code to the targeted computer or mobile device,
making it vulnerable. In this attack, the victim may not necessarily have to
click on any links, open a malicious email attachment, or download any files.

4. CYBERSECURITY FRAUDS OF RECENT TIMES

As the world becomes increasingly digital, criminals are following suit. They too
have become technologically advanced, adopting new methods to infiltrate systems
and access sensitive information. There are many reasons for the surge in the rate of
online crime, including the accessibility of malicious tools and techniques and the
anonymity of being able to hide behind a screen. The global COVID-19 pandemic has
also contributed tremendously to the surge in these crimes, and the surge will
certainly continue in the coming years. According to TechTarget, this increase will lead
to more than 33 billion records being stolen by cybercriminals by 2023, an increase of
175% from 2018.

Let us look at some of the cybercrimes that have been committed in the year 2022 so far:

1. Crypto.com

In the month of January, Crypto.com suffered a serious breach. The company learned
that a small number of its users had unauthorized crypto withdrawals on their
accounts.

The criminals were able to approve transactions and override the two-factor
authentication on the site. Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC
and approximately US $66,200 in other currencies. Crypto.com promptly suspended
withdrawals for all tokens to initiate an investigation and worked around the clock to
address the issue. No customers experienced a loss of funds. In most cases they
prevented the unauthorized withdrawal, and in all other cases the customers were
fully reimbursed.

2. Red Cross

This attack came to light on 18th January 2022 and resulted in the data of more than
515,000 vulnerable people being compromised. The International Committee of
the Red Cross (ICRC) disclosed that the compromised information related to its
Restoring Family Links programme (assisting people separated from their families
by conflict or disaster, reuniting missing people with their families, and helping
people in detention). The ICRC stated that its attackers used advanced hacking tools
linked to advanced persistent threat (APT) groups with nation-state links, and used
obfuscation techniques. The attack was found to be highly targeted, with special code
written specifically to be executed on the ICRC’s servers. The malicious files used by
the attackers were crafted to bypass the ICRC’s anti-malware tools. It wasn’t until the
ICRC installed new Endpoint Detection and Response (EDR) tools that the files were
detected. The attackers are thought to have first infiltrated the systems on 9th November
2021 and to have remained undetected for 70 days.

3. The Works

On 5th April 2022, The Works was forced to close 5 of its stores following a
cyberattack. The attack caused other disruptions as well, including delays to the
resupply of stock and to order deliveries to customers. The retailer initially discovered
the attack one week prior to its store closures, after being alerted to the breach by its
security firewall. No customer payment data had been compromised. Although the
company stated that “There is no risk that this payment data has been accessed
improperly,” it did not confirm what data had been accessed by the hackers. The nature
and motive of the attack still remain undisclosed, although some sources suggest a
ransomware attack.

4. British Army

The British Army’s online recruitment portal was taken offline for more than a month
following a data breach. The enrolment system was shut down in the middle of March
after the personal data of more than 100 army recruits was made available for sale on the
dark web. The information that was exposed is said to have included full names, dates of
birth, addresses, qualifications and previous employment details. Member of parliament
Mark Francois, a former defence minister, said: “This security breach is extremely
concerning, not least in light of Russia’s war in Ukraine and Russia’s long history of
hostile cyber operations."

5. HACKING

The effort to attack a computer system or a private network inside a computer is known
as hacking. Simply put, it is unauthorized access to or control of computer network
security systems with the intention of committing a crime. Hacking may be defined as
the process of finding security holes in a computer system or network in order to gain
access to personal or corporate information.

The unauthorized users who gain access to computers in order to steal, alter, or delete
data, generally by installing malicious software without the knowledge or agreement of
the owner are called Computer Hackers.

There are various types of Computer Hackers:

i. Black Hat Hackers: These hackers, often known as crackers, always have a
malicious motive and gain illegal access to computer networks and websites.
Their goal is to make money by stealing secret organizational data, stealing funds
from online bank accounts, violating privacy rights to benefit criminal
organizations, and so on.

ii. White Hat Hackers/Ethical Hackers: White hat hackers (sometimes referred
to as ethical hackers) are the polar opposites of black hat hackers. They employ
their technical expertise to defend the world against malicious hackers. White
hats are employed by businesses and government agencies as data security
analysts, researchers, security specialists, etc. White hat hackers, with the
permission of the system owner and with good motives, use the same hacking
tactics that black hat hackers use. They can work as contractors, freelancers, or
in-house for companies. They assist their customers in resolving security
loopholes before criminal hackers have a chance to exploit them.

iii. Gray Hat Hackers: These hackers fall somewhere between the above-mentioned
types, in that they gain illegal access to a system but do so without malicious
intent. The goal is to reveal the system’s weaknesses. Rather than exploiting
vulnerabilities for unlawful gain, these hackers may offer to repair vulnerabilities
they have identified through their own unauthorized actions. For example, they may
infiltrate a website or application without permission to look for vulnerabilities.
They rarely, if ever, try to harm others. Grey hats do this to obtain notoriety and
reputation within the cyber security industry, which helps them further their
careers as security experts in the long run. This, on the other hand, harms the
reputation of the organizations whose security flaws or exploits are made public.

iv. Red Hat Hackers: Also known as eagle-eyed hackers, red hat hackers want
to stop threat actors from launching unethical assaults. Red hat hackers have the
same aim as ethical hackers, but their methods differ: red hat hackers may
utilize illegal or extreme methods, and frequently launch cyberattacks against
threat actors’ systems.

v. Blue Hat Hackers: Security experts who work outside an organization are
known as blue hat hackers. Before releasing new software, companies frequently
invite them to test it and uncover security flaws. Companies occasionally hold
events for blue hat hackers to help uncover flaws in their critical internet-facing
systems. The same term is also used for hackers to whom money and fame are not
important: they hack to exact personal vengeance on a person, employer,
organization, or government for a genuine or perceived wrong. To hurt their
adversaries’ data, websites, or devices, these blue hat hackers use malicious
software and various cyber threats against their rivals’ devices.

vi. Green Hat Hackers: Green hat hackers aren’t familiar with safety measures
or the internal dynamics of the internet, but they’re quick learners who are driven
(if not desperate) to advance in the hacking world. Although it is unlikely that
they want to damage others, they may do so while “experimenting” with various
viruses and attack strategies. As a result, green hat hackers can be dangerous
since they are frequently unaware of the implications of their activities – or, even
worse, how to correct them.

6. ETHICAL HACKING

1. Definition

Ethical Hacking is a hacking process based upon morals and ethics. It has no bad
intent; rather, the intent is to help.

Hacking that is permitted by the owner of the target system can be called Ethical
Hacking. It involves taking active security measures in order to defend systems from
hackers with malicious intentions.

From a technical or scientific perspective, it can be defined as the process of
bypassing or cracking the security measures that have been put into a system, so that
the vulnerabilities present in the system, the data breaches, and the potential threats
to the system can be found. Hacking can be called ethical only if the hacker follows
the regional or organizational cyber laws and rules. This job was previously referred
to as penetration testing. As can be gauged from the name, it is all about the process
of infiltrating the system and documenting the steps involved in it.

2. Need/Importance of Ethical Hacking

As said earlier, with the world becoming increasingly reliant on technology for the
smallest of things with each passing day, securing information and sensitive data has
become a necessity. Here, ethical hacking comes into play. Ethical hacking tries to mimic
the attacker. Ethical hackers try to think like an attacker and, with that notion in mind,
perform reconnaissance, the act of gathering as much information as possible. Once
these ethical hackers gather sufficient information, they use it to find the vulnerabilities
present in a system. A mix of automated and manual testing is employed for this
purpose. Even sophisticated systems with complex countermeasure technologies can be
vulnerable. Exploits against the vulnerabilities are used by ethical hackers to show how
a malicious attacker could exploit them. Thus, ethical hacking can prevent major loss of
information, which may cause further losses such as loss of business, loss of reputation,
etc.

3. Steps Of Ethical Hacking

There are various steps involved in the process of ethical hacking:

i. Reconnaissance: The first step of ethical hacking involves gathering
primary information regarding the target system. This information might be
about the people and the corporations associated with the target. It can also be
about the details of the host system or the target network. The goal of this step
is to develop an approach based upon the exact technology used and the
security measures employed by the target system.

ii. Scanning: The next phase involves examining the network to which the
target system is connected. The majority of devices, whether in a corporation or
at home, are connected to a network; Wi-Fi or WLAN are the common types. In
offices, ethernet connections are laid throughout for maximum efficiency. This
fact can be exploited by the hacker to obtain access to the network of the target
host system. During this process, the network topology as well as the vulnerable
ports are revealed.

iii. Gaining access: After completion of the above two steps, this step is
performed. Based on the data gathered in the previous steps, the hacking
process is started. Here, the hacker breaks into the system, either by
cracking passwords or by bypassing the security measures that were employed.

iv. Maintaining access: After obtaining access, it is the duty of the hacker to
make sure that, once the primary session is completed, they are still in a
position to access the system. This is where a ‘backdoor’ comes into play. It is
a type of exploit or hack that is deliberately left in the target system for ease of
future access. A backdoor is critical because, without one, the system may apply
a better security patch or reset its security settings, and the hacker might have to
develop the hack once again.

v. Clearing tracks: After winding up the attack, it is necessary to get rid of all
traces that might give away the fact that an incursion took place. This means that
the hacker needs to remove all backdoors, executables, or logs present in the
system that might cause the attack to be traced back to them or discovered in the
first place.

4. Forms Of Ethical Hacking

One may come across 5 forms of ethical hacking:

i. The first one is Web Application Hacking. Here, software served over HTTP
(Hyper Text Transfer Protocol) is exploited by taking advantage of the browser’s
graphical interface, meddling with the URI (Uniform Resource Identifier), or
tampering with HTTP elements that are not stored within the URI.

ii. The second one is System Hacking. This type of hacking allows hackers to
gain access to individual computers over a network. Password cracking, privilege
escalation, malicious software creation and packet sniffing are the techniques
that IT security experts must be prepared to counter.

iii. The third one is Web Server Hacking. Web content is generated in real time
by the application software and its database. Attackers make use of gluing, ping
flooding, port scanning, sniffing attacks, and social-engineering techniques to
gain access to credentials, passcodes, company information and other sensitive
data from the web application.

iv. The fourth one is Wireless Network Hacking. A hacker can attack a system
from a nearby location, since wireless networks use radio waves to transmit.
Network sniffing is often used to identify the network identifier and compromise
a wireless network.

v. The fifth one is Social Engineering. It is the art of manipulating people so that
they reveal sensitive information. Criminals often rely on it to carry out crimes,
since it is generally easier to exploit a person’s natural tendency to trust than to
work out a way to defeat the device.

5. Main Concepts of Ethical Hacking

People who are experts in hacking are said to follow the main concepts of Ethical
Hacking given below:

i. Stay legal: It is extremely necessary to get proper approval before accessing a
system and performing any security assessment.
ii. Define the scope: It is necessary to know the scope of the assessment in order to
make sure that the ethical hacker’s work remains legal and within the approved
boundaries of the organisation.
iii. Report vulnerabilities: It is important to tell the organization about all the
vulnerabilities (also known as loopholes) found during the assessment and to
supply remediation advice for resolving them.
iv. Respect data sensitivity: Depending on the sensitivity of the data and information,
ethical hackers may have to agree to a non-disclosure agreement, apart from the
other terms and conditions formulated by the assessed company.

6. Code Of Ethics
In order to pursue ethical hacking as a professional career, one needs to pass an
examination conducted by EC-Council (the International Council of E-Commerce
Consultants). However, to retain their ethical hacking licence, each ethical
hacker needs to follow certain guidelines and rules. Most of the EC-Council
Code of Ethics is similar to a person's professional and moral ethics. It
includes telling the company about all the loopholes discovered in their
systems, and respecting the privacy of the company by neither divulging nor
misusing its data.

7. Limitations
Just as a coin has two sides, Ethical Hacking has certain limitations
alongside its numerous advantages.

a. Boundaries: Ethical hackers cannot cross certain boundaries just for the
sake of making an attack succeed.
b. Limitation of Resources: Unlike malicious attackers, ethical hackers
are bound by time to complete their tasks.

7. BIOMETRIC AUTHENTICATION

1. Definition
Biometric comes from two Greek words: "Bios", which means life, and
"Metron", which means measure. Authentication means checking whether
something is true, or whether the claims made by someone are true.

Biometric Authentication may be defined as the security process which
identifies a user by making use of their biological input, or by the
scanning or analysis of some part of their body. It relies on the unique
biological characteristics of the user to verify them. It makes use of
biometric identification, which employs biometrics such as fingerprints,
retina scanning etc. to identify a person.

2. Methods of Biometric Authentication

There are various ways in which Biometric Authentication is performed.
These include:

a. Chemical biometric devices: DNA (deoxyribonucleic acid) matching makes
use of the genetic material of an individual to identify them.

b. Visual biometric devices:

i. Retina scans: They identify the user by checking the pattern of
blood vessels at the back of their eyes.

ii. Iris recognition: It makes use of a picture of the iris to identify
people.

iii. Fingerprint scanning: It identifies people by matching their
fingerprints.

iv. Hand geometry recognition: It utilises the fact that each
individual has a unique hand shape which does not alter after a
certain age. It is done by measuring the distances between various
parts of the hand, including finger length, finger breadth and the
shape of the valleys between the knuckles.

v. Facial recognition: It makes use of the unique characteristics and
patterns of people's faces to confirm their identity.

vi. Ear authentication: It is based upon the unique ear shape of an
individual. This technology is not very prominent as of now.

vii. Signature recognition: It makes use of pattern recognition to
identify individuals based on their handwritten signature.

c. Vein or vascular scanners:

i. Finger vein ID: It works by identifying individuals based on the
vein patterns in their finger.

d. Behavioural identifiers:

i. Gait: It is based upon how a person walks.

ii. Typing recognition: It identifies individuals with the help of
their unique typing characteristics, including how fast they type.

e. Auditory biometric devices:

i. Voice ID: It makes use of the voice of the user to identify them
and relies on characteristics created by the shape of the mouth and
throat.

3. Components of a Biometric Authentication Device

A Biometric Authentication device has 3 components:
a) a reader/scanning device
b) technology to convert and compare collected biometric data
c) database for storage

4. Advantages
i. This method of verification is convenient, and it is far more secure
than passwords or ID cards because it is based upon the unique
biological characteristics of an individual, which are difficult to
replicate.
ii. It is non-transferable; that is, biometric authentication requires its
input to be present at the time of authorisation. One cannot transfer or
share a physical biometric digitally.
iii. It is user-friendly and fast. A user can simply place their finger
on a scanner and unlock their phone rather than typing long
passwords or drawing patterns. They no longer have to remember
these combinations.

5. Disadvantages
i. It is expensive compared to other security processes. There is not
only the installation cost but the maintenance cost as well.
ii. The user's privacy can be invaded. The digital data stored for this
purpose can be used by people harbouring ill intent.
iii. If an individual even slightly resembles another, they can use that
resemblance to log into the other person's information and misuse it. For
example, if person A looks similar to person B, then B can easily unlock
A's phone if it has a facial recognition feature.
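To make the three components listed above and the look-alike problem in disadvantage iii concrete, here is an added illustration in Python (not from the report): a toy hand-geometry verifier built from constructed measurements and names, showing that a match threshold loose enough to tolerate a user's own variation between readings can also accept a person with similar hand dimensions.

```python
"""Toy biometric verifier illustrating the three components of a device:
(a) a reader yielding raw measurements, (b) a converter/comparator that builds
a template and scores a probe against it, (c) a database of enrolled templates.
Hand geometry (finger lengths and breadths, in mm) is the assumed biometric;
every name and number below is constructed for the demo."""
from statistics import mean

# (a) Reader output: three enrolment readings per user, each a vector of
# index/middle/ring/little finger length followed by the same fingers' breadth.
ENROL_SAMPLES = {
    "alice": [[72, 80, 75, 58, 17, 18, 16, 14],
              [73, 81, 75, 59, 17, 18, 17, 14],
              [72, 80, 76, 58, 18, 18, 16, 14]],
    "bob":   [[80, 90, 84, 66, 20, 21, 19, 16],
              [81, 89, 84, 65, 20, 21, 19, 17],
              [80, 90, 85, 66, 20, 22, 19, 16]],
}
GENUINE_PROBE = [72, 81, 75, 58, 17, 18, 16, 14]    # alice, a fresh reading
LOOKALIKE_PROBE = [74, 82, 77, 60, 18, 19, 17, 15]  # "charlie", a similar hand

def make_template(samples):
    """(b) Converter: average the enrolment readings into one stored template."""
    return [mean(dim) for dim in zip(*samples)]

def build_db(enrol_samples=ENROL_SAMPLES):
    """(c) Database: user -> template. Raw readings are not kept."""
    return {user: make_template(s) for user, s in enrol_samples.items()}

def distance(template, probe):
    """(b) Comparator: mean relative deviation of probe from template; 0 = identical.
    Measurements are lengths, so every template value is positive."""
    return mean(abs(p - t) / t for p, t in zip(probe, template))

def verify(db, claimed_user, probe, threshold):
    """Return (accepted, score). A lower score means a closer match."""
    template = db.get(claimed_user)
    if template is None:            # unknown user: reject, no score to report
        return False, None
    score = distance(template, probe)
    return score <= threshold, score

def demo(strict=0.02, lax=0.05):
    """Show the trade-off: the lax threshold admits the look-alike as well."""
    db = build_db()
    return {
        "genuine@strict": verify(db, "alice", GENUINE_PROBE, strict)[0],
        "lookalike@strict": verify(db, "alice", LOOKALIKE_PROBE, strict)[0],
        "lookalike@lax": verify(db, "alice", LOOKALIKE_PROBE, lax)[0],
        "bob@lax": verify(db, "alice", ENROL_SAMPLES["bob"][0], lax)[0],
    }
```

Tightening the threshold rejects the look-alike but would also start rejecting a genuine user whose readings vary more, which is the false-accept versus false-reject trade-off every deployment has to tune.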

6. Current Uses
Biometric authentication is currently being used in various places and
fields, such as:

i. At airports for security checks
ii. In forensic labs to identify people
iii. In hospitals to keep better track of patients' records and avoid
any mix-ups
iv. In Aadhaar cards
v. In smartphones, where face-lock and fingerprint-lock systems are used

8. CONCLUSION AND DISCUSSION

The report brings to light the importance of Cybersecurity in today's
time. It gives the reader an insight into how this technology is being used
widely for protecting user data. Ethical hacking and Biometric
Authentication have become integral parts of the cybersecurity field.
While ethical hacking is used to detect vulnerabilities in a system and fend
off attacks, biometric authentication is used for seamless verification
of identity.

Although ethical hacking and biometric authentication have proven to be
of great assistance, there are still certain drawbacks to them. They still
need certain engineering advances to overcome these limitations. Apart from
these, there are other factors, like cost, education and a lack of technical
skills, which hinder them from gaining the popularity that they deserve.
These technologies are like time. If we value them and utilise them
carefully, they will only prove fruitful in the upcoming times. However,
we still need to do a lot of work in order to use these technologies to their
full potential.
